Abstract — Smart grid is a cyber-physical system that integrates power infrastructures with information technologies. To facilitate efficient information exchange, wireless networks have been proposed for wide use in the smart grid. However, the jamming attack, which constantly broadcasts radio interference, is a primary security threat that prevents the deployment of wireless networks in the smart grid. Hence, spread spectrum systems, which provide jamming resilience via multiple frequency and code channels, must be adapted to the smart grid for secure wireless communications while at the same time providing latency guarantees for control messages. An open question is how to minimize message delay for timely smart grid communication under any potential jamming attack. To address this issue, we provide a paradigm shift from the case-by-case methodology, which is widely used in existing works to investigate well-adopted attack models, to the worst-case methodology, which offers a delay performance guarantee for smart grid applications under any attack. We first define a generic jamming process that characterizes a wide range of existing attack models. Then, we show that for all strategies under the generic process, the worst-case message delay is a U-shaped function of network traffic load. This indicates that, interestingly, adding a fair amount of traffic can in fact improve the worst-case delay performance. As a result, we demonstrate a lightweight yet promising system, transmitting adaptive camouflage traffic (TACT), to combat jamming attacks. TACT minimizes the message delay by generating extra traffic, called camouflage, to balance the network load at the optimum. Experiments show that TACT can decrease the probability that a message is not delivered on time by an order of magnitude.
1 Introduction

Smart grid is an emerging cyber-physical system that incorporates networked control mechanisms (e.g., advanced metering and demand response) into conventional power infrastructures [1]. To facilitate information delivery for such mechanisms, wireless networks that provide flexible and untethered network access have been proposed and designed for a variety of smart grid applications [2], [3], [4], [5], such as substation automation [2], [4] and home metering [5]. As a result, wireless networks have become an essential part of the communication infrastructure for the smart grid.

However, the use of wireless networks introduces potential security vulnerabilities due to the shared nature of wireless channels. Indeed, it has been pointed out in [1], [6] that the jamming attack, which uses radio interference to disrupt wireless communications [7], [8], [9], can result in network performance degradation and even denial of service in power applications, thereby being a primary security threat that prevents the deployment of wireless networks for the smart grid. How to defend against jamming attacks is therefore of critical importance to securing wireless communications in the smart grid.

There have been extensive works on designing spread spectrum based communication schemes, which provide jamming resilience to conventional wireless networks by using multiple orthogonal frequency [8], [10] or code [9], [11] channels. Interestingly enough, most efforts adopt a case-by-case (or model-by-model) methodology to investigate how a message can be sent to its destination. In other words, based on commonly-adopted jamming attack models (e.g., periodic, memoryless, and reactive models [12]), existing works focus on designing anti-jamming communication schemes for message delivery in conventional wireless networks.

However, NIST has recently imposed a strong requirement for smart grid security: power system operations must be able to continue during any security attack or compromise (as much as possible) [1]. This means that the widely-used case-by-case methodology cannot be readily adapted to wireless smart grid applications, because it is not able to guarantee reliable communication under any potential jamming attack. To provide such a guarantee, securing wireless smart grid applications requires a paradigm shift from the case-by-case methodology to a new worst-case methodology that offers performance assurance under any attack scenario. On the other hand, it has been shown that message delay performance can be substantially worsened, to the point of violating the timing requirements of control applications, under an inappropriate security design. For example, in an experimental substation network [13], if an RSA-based scheme is used for authenticating trip protection messages, 40 percent of messages cannot be delivered and verified within the timing requirement of 3 ms. This shows that in addition to the necessity of using the worst-case methodology, security design for the smart grid should also attempt to minimize the message delay such that it always meets the timing requirement. As a result, in this paper, we aim at solving a fundamental yet open question for wireless smart grid applications: how to minimize the message delay under worst-case jamming attacks. The answer to this question can not only help us design network strategies against worst-case jamming attacks in wireless smart grid applications, but also offer general guidance on jamming defense strategies in cyber-physical systems.

In this paper, we address this issue by considering a wireless network that uses multiple frequency and code channels to provide jamming resilience for smart grid applications. We consider two general jamming-resilient communication modes for smart grid applications: coordinated and uncoordinated modes [8], [9], [10]. In coordinated mode, the sender and receiver share a common secret or key (e.g., a code-frequency channel assignment), which is unknown to attackers. Accordingly, an attacker has to choose its own strategy to disrupt the communication between the transmitter and receiver. Coordinated communication is the conventional model in spread spectrum systems. However, the transmitter and receiver may not share a common secret initially (e.g., a node joins a network and attempts to establish a secret with others). Uncoordinated communication is therefore used to help establish such an initial key. In uncoordinated communication, the sender and receiver randomly choose a frequency-code channel to transmit and receive, respectively. A message can be delivered from the sender to the receiver only if they both reside on the same channel, and at the same time the jammer does not disrupt the transmission on that channel.

As power applications are time-critical with strict timing requirements (e.g., 3 and 10 ms in substation trip protection [14]), message delivery becomes invalid as soon as its delay $D$ is greater than the delay threshold $\sigma$. Therefore, different from existing metrics (e.g., throughput or packet delivery ratio [7]) used to evaluate the jamming impact in conventional wireless networks, we use the message invalidation probability $P(D > \sigma)$, which directly reflects the timing requirements of power applications, to measure the jamming impact in the smart grid. Our goal is to minimize $P(D > \sigma)$ under the worst-case jamming attack. To this end, we first define a generic jamming process that includes a wide range of existing jamming models. Then, we use both theoretical analysis and experimental study to derive $P(D > \sigma)$ and accordingly design a solution to minimize $P(D > \sigma)$ under jamming attacks. We highlight our major findings as follows:

1) We propose to study the worst-case performance under a generic (rather than specific) jamming process. We show, through mathematical derivations, that the worst-case performance in terms of message invalidation probability exhibits a U-shaped^1 response to aggregated network traffic load. In other words, the message invalidation probability is a first-decreasing, then-increasing function of network traffic load.

1. Mathematically, a function is said to be U-shaped if it is first decreasing, then increasing.

2) Based on this U-shape effect, we propose a transmitting adaptive camouflage traffic (TACT) system that uses "camouflage traffic" to achieve the optimal aggregated network traffic load that minimizes the message invalidation ratio.

The underlying explanation behind the U-shape phenomenon and the TACT anti-jamming strategy is that using camouflage traffic (i.e., redundant traffic transmitted by TACT) exploits the over-provisioned bandwidth of a smart grid network, where the time-critical traffic rate is smaller than the network bandwidth. By sending more such camouflage traffic (mixed with smart grid control traffic) into the network, we can force a jammer to "waste" enough jamming capability on the camouflage traffic (because the jammer has no way to tell the camouflage traffic from the real smart grid traffic), so that the jammer cannot find the real traffic quickly enough. Therefore, the message invalidation ratio decreases when we send camouflage traffic into the network under jamming. However, if the rate of sending camouflage traffic keeps increasing and approaches the network bandwidth, more collisions will happen in the network, thereby degrading the network performance (i.e., increasing the message invalidation ratio). As a result, there exists an optimal rate at which to send camouflage traffic, and TACT is used to adaptively find this rate.

Because our strategy is based on the worst-case methodology, the U-shape property and the global minimum of the message invalidation probability are independent of any particular jamming strategy, thus offering a performance guarantee for a wireless smart grid application under jamming attacks.

The rest of this paper is organized as follows. In Section 2, we introduce preliminaries and models. In Sections 3, 4, and 5, we derive the theoretical results, design the method of TACT, and implement TACT in our experimental smart grid system, Green Hub, respectively. Finally, we conclude in Section 6.

2 Models and Problem Formulation

In this section, we first introduce background on wireless networks for the smart grid, then present the network and jamming models, and finally formulate the problem.

2.1 Background: Smart Grid over Wireless

Wireless networks are in general used for local-area smart grid applications, such as substation automation and distributed energy management [2], [3]. The wireless network for a local-area power system consists of a number of intelligent electronic devices (IEDs) and a gateway node. IEDs are devices installed on the infrastructure to carry out power management procedures by communicating with each other. The gateway is connected to the smart grid backbone network. Local-area messages can be forwarded via the gateway to outside networks.

Due to the broadcast nature of wireless channels, wireless networks for the smart grid are inevitably exposed to jamming attacks, which transmit radio interference to prevent legitimate messages from being received [7], [8], [9]. It has already been pointed out that jamming attacks, by disrupting communication between power equipment, can possibly result in grid operation instability or even regional blackout [15]. Therefore, wireless networks for the smart grid must have the ability to combat jamming attacks. There are two widely-used spread spectrum techniques [8], [9], [11], [16] in the literature to defend against jamming attacks. (i) Frequency hopping spread spectrum (FHSS): the sender and receiver switch frequency channel among a pool of candidate channels from time to time. The jammer can only jam a transmission when it is on the same channel. (ii) Direct sequence spread spectrum (DSSS): the sender multiplies the original data with a pseudo-noise (PN) sequence (called a code channel). The receiver uses a correlator with the same PN sequence to recover the original message. It is difficult for a jammer to disrupt the communication unless it knows the PN sequence used by the channel.

Both FHSS and DSSS have been proposed and used for power applications [3], [15], [17], [18]. For example, a DSSS based system is demonstrated in [17] for local substation automation. Since FHSS and DSSS provide jamming resilience by using multiple orthogonal frequency and code channels, a trivial solution for decreasing the message delay is to increase the number of frequency or code channels. Then, a jammer will have a lower chance of transmitting jamming signals on the same channel used by a transmit-receive pair. However, this is quite undesirable in practice because of the large cost of network spectrum resources. Therefore, we attempt to minimize the message delay in a wireless network with fixed numbers of frequency and code channels.

2.2 Network Model

We consider a wireless local-area network $\mathcal{N}(m, N_f, N_c)$, where $m$ is the number of nodes (including IEDs and the gateway) in the network, and $N_f$ and $N_c$ are the numbers of frequency and code channels, respectively. There are two major types of traffic flows in the network: 1) local traffic, which is generated from one node to another for local monitoring or protection; 2) outside traffic, which flows between a node and an outside node via the smart grid backbone network.

For a message going outside, it will be delivered first from an IED to the gateway via the local-area network (local delivery), then to the destination network via the smart grid backbone network. If there exists a jammer, it can affect the delay performance of both local and outside traffic types. For outside traffic, the delay component of the first local delivery can dominate the overall end-to-end delay, since the smart grid backbone network is always of high bandwidth. Therefore, we focus on the message delay of local traffic in the network.

It is worth noting that in the smart grid, a large amount of network traffic follows a constant traffic model for continuous monitoring and control of power equipment [3], [14], [19]. In addition, nodes can have distinct network traffic loads for different applications. For example, merging-unit IEDs in a substation can send sampled power signal quality data at various rates of 960-4,800 messages/s, depending on configuration [19]. Thus, we assume that there are heterogeneous traffic loads in network $\mathcal{N}(m, N_f, N_c)$; i.e., node $i$ has a constant traffic load of $\lambda_i$ messages/s ($i \in \{1, 2, \ldots, m\}$) in the network.

Fig. 1. $N_f$ frequency and $N_c$ code channels available.

2.3 Communication and Interference Models

2.3.1 Protocol Processing

In the smart grid, to ensure in-time monitoring and control of power devices, a large amount of communication messages have stringent timing requirements. For example, substation applications have 3-500 ms delay constraints for message delivery [14]. We refer to such messages as time-critical messages. The nature of time-critical messages indicates that they should be transmitted immediately and avoid being buffered. For example, time-critical messaging in substation communications [14] features a simple transmission mechanism at the application layer: bypass TCP and retransmit the same message multiple times to ensure timely delivery and reliability. Thus, we also adopt such a mechanism at the application layer of each node.

When a message is passed from the application layer to the MAC layer, traditionally, CSMA/CA is used to sense the channel activity before sending the message. However, CSMA/CA is primarily designed for one-channel networks, and may not be efficient in spread spectrum systems. In network $\mathcal{N}(m, N_f, N_c)$, the wireless channel is separated into $N_f$ frequency and $N_c$ code channels. Such channels can be considered orthogonal to each other [20]. Even if there are multiple wireless transmissions over the same frequency channel, they will be successfully decoded at the receivers as long as they use distinct code channels. CSMA/CA, which defers a transmission after sensing activity on a frequency channel, may therefore unintentionally degrade the delay performance.

Thus, we assume that when the MAC layer receives a message from upper layers, it will directly transmit the message on a frequency-code channel pair, denoted as the $(i, j)$th channel shown in Fig. 1. Since the application layer will retransmit the message multiple times, the MAC layer will assign a distinct frequency-code channel to each retransmission.

To correctly decode the message, the receiver must reside on the same frequency-code channel used by the sender. However, the receiver may or may not have the information of the sender's channel assignment, which leads to distinct communication modes between the sender and receiver. In what follows, we consider the extensively-used models in the literature.
2.3.2 Secret Communications and Key Establishment

As mentioned previously, two communicators may or may not share a common secret channel assignment (the key) with each other. If they do share a key, the receiver can synchronize with the sender's frequency-code channel switching, which is called coordinated communication mode. In this mode, we assume that for a sender-receiver pair, each channel assignment is uniformly distributed over all $N_f N_c$ selections such that the chance of potential channel collision among legitimate nodes is minimized.

Coordinated communication happens only when two communicators share a secret unknown to others. However, they initially may not have such a secret. In fact, it is commonly assumed (e.g., [8], [10], [11]) that they share no secret key before they attempt to communicate. Then, how can they establish a key before they use it to communicate in coordinated mode? To solve this question, a widely-adopted solution (e.g., [8], [10], [11]) is the uncoordinated communication mode, which works as follows.

First, assume that the two communicators can always verify each other's authenticity (e.g., their public keys are open to everyone). Every packet transmitted by the sender is digitally signed with the sender's private key. Then, the receiver can use the sender's public key to verify whether a packet was indeed sent by the real sender.

Second, the sender keeps sending the key information on a randomly selected frequency/code channel. The information is encrypted (e.g., using the receiver's public key) such that it is only decodable by the real receiver. At the same time, the receiver randomly chooses a channel to listen on. When the sender and receiver reside on the same channel, the key information can be successfully delivered, thereby finishing the key establishment.

After the key establishment, the sender and receiver share a common secret key, so they can use the key to communicate. We can see that although uncoordinated communication looks less efficient, it is still essential to achieve coordinated communication. As a result, both uncoordinated and coordinated modes are vital for securing jamming-resilient communications.

Since channel selection is random in the uncoordinated mode, we adopt the uniform selection strategy [21], in which both sender and receiver uniformly choose channels to transmit and receive, respectively.

2.3.3 Interference Model

In coordinated mode, the sender and receiver have common knowledge of the secret channel assignment, and can synchronize with each other. The transmission on a channel fails only when it is disrupted by jamming or other transmissions on the same channel. Thus, we assume that for coordinated communication, the message delivery on the $(i, j)$th channel fails when at least one of the following two events holds: 1) at least a portion $p$ ($0 < p < 1$) of the transmission is disrupted by jamming on the $(i, j)$th channel; 2) at least a portion $p$ of the transmission collides with other legitimate traffic on the $(i, j)$th channel.

For uncoordinated mode, message delivery failure can be caused not only by jamming or other transmissions on the same channel, but also by a channel selection mismatch between the sender and receiver. Therefore, we assume that the message delivery with duration $T_L$ on the $(i, j)$th channel fails if at least one of the following holds: 1) at least a portion $p$ of the transmission is disrupted by jamming on the $(i, j)$th channel; 2) at least a portion $p$ of the transmission collides with other legitimate traffic on the $(i, j)$th channel; 3) during the message transmission, the receiver resides on the $(i, j)$th channel for a time duration smaller than $(1 - p)T_L$.

Note that the value of $p$ varies in practice, depending on the error correction coding. For example, if the standard (255,223) Reed-Solomon code is used in the transmission, it is capable of correcting up to 16 bit errors among every 223 information bits [9], resulting in $p \approx 7.1$ percent.
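As an added example (not part of the paper), the following Python isolates condition 3 of the uncoordinated interference model above: the sender retransmits $\sigma/T_L$ times on uniformly chosen channels (the uniform selection strategy of Section 2.3.2), while the receiver hops on its own clock with a fixed dwell and random phase, and an attempt counts only if the receiver covers at least $(1-p)T_L$ of it. Jamming and collisions are left out so the rendezvous effect is visible on its own; the receiver dwell/phase model and all parameter values are assumptions made for this example.

```python
"""Uncoordinated mode (Sections 2.3.2 and 2.3.3): sender and receiver choose channels
independently and uniformly, and an attempt fails when the receiver stays on the
sender's channel for less than (1-p)T_L (condition 3 of the interference model).
Added example, not the paper's code; jamming and collisions are deliberately omitted."""
import random


def rendezvous_probability(nf, nc):
    """Chance that independently and uniformly chosen sender/receiver channels coincide."""
    return 1.0 / (nf * nc)


def lockstep_invalidation(nf, nc, tl, sigma):
    """If the receiver re-hops exactly at the sender's message boundaries, each of the
    sigma/T_L attempts is an independent rendezvous: P(D > sigma) = (1 - 1/(Nf Nc))^(sigma/T_L)."""
    return (1.0 - rendezvous_probability(nf, nc)) ** (sigma / tl)


def receiver_schedule(n, dwell, phase, horizon, rng):
    """Receiver listening segments (start, end, channel): random phase, then a fixed dwell
    per uniformly chosen channel. This dwell/phase model is an assumption of the example."""
    t, segments = -phase, []
    while t < horizon:
        segments.append((t, t + dwell, rng.randrange(n)))
        t += dwell
    return segments


def covered_portion(segments, channel, t0, t1):
    """Fraction of [t0, t1] during which the receiver listens on `channel`."""
    overlap = sum(max(0.0, min(e, t1) - max(s, t0)) for s, e, c in segments if c == channel)
    return overlap / (t1 - t0)


def simulate_uncoordinated(nf, nc, p, tl, sigma, receiver_dwell, trials, seed=7):
    """Empirical P(D > sigma): the message is invalid if none of the sigma/T_L attempts
    lands on a channel the receiver covers for at least (1-p) of that attempt."""
    rng = random.Random(seed)
    n, attempts = nf * nc, int(sigma / tl)
    invalid = 0
    for _ in range(trials):
        segs = receiver_schedule(n, receiver_dwell, rng.uniform(0.0, receiver_dwell), sigma, rng)
        delivered = False
        for i in range(attempts):
            ch = rng.randrange(n)  # sender picks a fresh uniform channel per attempt
            if covered_portion(segs, ch, i * tl, (i + 1) * tl) >= 1.0 - p:
                delivered = True
                break
        invalid += not delivered
    return invalid / trials


if __name__ == "__main__":
    # Constructed values: 4x4 channels, RS(255,223) -> p = 16/223, 1 ms messages, 3 ms deadline.
    NF, NC, P, TL, SIGMA = 4, 4, 16 / 223, 1e-3, 3e-3
    print("lockstep receiver:", lockstep_invalidation(NF, NC, TL, SIGMA))
    for dwell in (TL, 3 * TL):
        print(f"receiver dwell {dwell / TL:.0f} T_L:",
              simulate_uncoordinated(NF, NC, P, TL, SIGMA, dwell, 4000))
```

With an unaligned receiver that re-hops every $T_L$, condition 3 cuts the per-attempt rendezvous chance from $1/(N_f N_c)$ to the order of $2p/(N_f N_c)$, so the receiver's dwell relative to the message duration matters as much as the channel count.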

2.4 Generic Jamming Model

The objective of a jammer is to broadcast interference to disrupt as many messages as possible in network $\mathcal{N}(m, N_f, N_c)$. As the network has multiple channels, the jammer can adopt a wide range of strategies. In the literature, there are two major jamming types in terms of jamming behavior: non-reactive and reactive models [7], [8], [9], [10], [11]. Non-reactive jammers transmit radio interference by following their own strategies. Reactive jammers transmit interference only when they sense activity on a wireless channel. In addition, a jammer can either target a single frequency-code channel or have the ability to attack multiple channels at the same time. In this paper, we assume that the jammer has knowledge of the pool of candidate channels used in the network, and attempts to choose the best strategy to attack one or some of the channels so as to mount the worst-case attack. In order to accommodate the varying strategies the jammer can use, we define a generic process that covers various jamming behaviors and models in the literature.

Definition 1 (Generic Jamming Process). A jamming attack can be represented as a Markov-renewal process

$$((F, C), X) \triangleq \{((F_k, C_k), X_k) \mid k = 1, 2, \ldots\},$$

where $X_k$ is the renewal interval representing the jamming duration at the $k$th state, denoted by $(F_k, C_k) \triangleq \{(F_{k,i}, C_{k,i})\}_{i \in [1, s]}$, the set of frequency and code channels targeted by the jammer, $(F_{k,i}, C_{k,i})$ is a particular frequency and code channel, and $s$ is the number of channels the jammer can attack simultaneously. The embedded transition matrices associated with states $(F_k, C_k)$ are denoted as $Q_f$ and $Q_c$, respectively. When the jamming is non-reactive, $((F, C), X)$ is assumed to be a continuous Markov process. When the jamming is reactive, $X_k = \tau + S_k 1_A$,^2 where $\tau$ is the constant channel sensing time, $S_k$ is the duration of the jamming signal, and $A$ denotes the event that at least one channel in set $(F_k, C_k)$ is sensed busy.

Remark 1. The generic jamming process can characterize both non-reactive and reactive jamming behaviors. In addition, it also models jammers that can attack $s > 1$ frequency-code channels at the same time. Thus, the generic model defined in Definition 1 can represent a wide range of existing jamming models and strategies in the literature. For example, consider a simple network with four frequency channels in the presence of a jammer that can attack only one frequency channel at a time. If the jammer's transition matrix $Q_f$ is the $4 \times 4$ identity matrix with state transitions shown in Fig. 2a, every state is an absorbing state and the process represents continuous jamming on a particular channel [7]. Similarly, Figs. 2b and 2c represent sweeping jamming [22] and uniformly-distributed jamming, respectively.

As we can see in the Markov-renewal model, $\{X_k\}$ and $\{(F_k, C_k)\}$ directly reflect when a certain set of channels is affected by the jamming attack, and the matrices $Q_f$ and $Q_c$ model what the jamming strategy is.

2. $1_A$ denotes the indicator function, which has the value 1 for $A$ and the value 0 for $A^c$.

Fig. 2. Jamming strategies due to state transitions.

2.5 Problem Formulation

The primary goal of smart grid communication is to achieve timely monitoring and control for power control applications. Therefore, the delay performance is of critical importance in the smart grid. A time-critical message becomes invalid as soon as its message delay $D$ is greater than its delay constraint $\sigma$. As a result, we focus on how to minimize the message invalidation probability $P(D > \sigma)$ in network $\mathcal{N}(m, N_f, N_c)$ under the generic jamming process $((F, C), X)$.

It is worth noting that there are two opposing parties in the network: the network operator always attempts to minimize the message delay; in contrast, the jammer always intends to maximize the message delay. The lower bound of the message delay is always achieved when there exists no jammer or only a naive jammer. As NIST requires that smart grid operations must continue under any potential attack, we adopt a worst-case methodology to study the problem of minimizing message delay in the smart grid under jamming attacks:

1. In wireless local-area network $\mathcal{N}(m, N_f, N_c)$, for a time-critical application with delay threshold $\sigma$, what is the worst-case delay performance $P(D > \sigma)$ under the generic jamming process $((F, C), X)$?

2. Given the worst-case scenario in Step 1, how to minimize $P(D > \sigma)$?

There has been existing work addressing denial-of-service attacks on multimedia traffic (e.g., [23], [24]). We note that the differences between smart grid traffic and multimedia traffic are: 1) smart grid traffic is more time-critical (e.g., a 3 ms requirement in GOOSE compared with around 100 ms for multimedia); 2) time-critical traffic is periodic and unsaturated (i.e., the traffic load is smaller than the network bandwidth) in the smart grid, whereas multimedia traffic is usually saturated and requires adequate congestion control. As a result, the smart grid traffic features a simpler retransmission mechanism without congestion control. In addition, we will show that we can take advantage of the unsaturated nature of smart grid traffic to design countermeasures.

Next, we use theoretical analysis to show the worst-case delay performance under jamming attacks.

3 Theoretical Analysis

In this section, we theoretically analyze the worst-case delay performance for wireless smart grid applications under the generic jamming model. We first consider the worst case in coordinated communication, then the worst case in uncoordinated communication. Finally, we propose a method to minimize the worst-case delay for both coordinated and uncoordinated modes.


3.1 Jamming against Coordinated Mode

Our goal is to find the jamming attack that maximizes $P(D > \sigma)$ such that we can identify the worst-case attack targeting wireless smart grid applications. As our generic jamming process characterizes both non-reactive and reactive jammers, we provide analytical results of their respective impacts on $P(D > \sigma)$.

Lemma 1 (Non-Reactive Jamming). In wireless local-area network $\mathcal{N}(m, N_f, N_c)$ in the presence of a non-reactive jamming process $((F, C), X)$ with the ability to attack $s$ channels simultaneously, the message delay $D_k$ of a time-critical application at node $k$ satisfies

$$P(D_k > \sigma) \le \left( 1 - \left(1 - \frac{1}{N_f N_c}\right)^{2(1-p) T_L \gamma_k} \left(1 - \frac{(1-p)s}{p N_f N_c}\right) \right)^{\sigma / T_L}, \quad (1)$$

where $T_L$ is the message transmission duration, $\sigma$ is the message delay threshold, $\gamma_k = \sum_{j=1, j \neq k}^{m} \lambda_j$, and $\lambda_j$ is the traffic rate at node $j$.

Proof. Without loss of generality, assume that node 1 transmits a message with delay threshold $\sigma$ and duration $T_L$. The application layer can transmit the message at most $\lfloor \sigma/T_L \rfloor$ times (for the sake of simplicity, we in the following assume that $\sigma/T_L$ is an integer, i.e., $\lfloor \sigma/T_L \rfloor = \sigma/T_L$, which does not affect the derivation of our main results). Among all $\sigma/T_L$ transmission attempts, the $i$th one uses the $(u_i, v_i)$th channel ($1 \le i \le \sigma/T_L$).

The message invalidation probability $P(D_1 > \sigma)$ is equal to the probability that all $\sigma/T_L$ transmission attempts are disrupted by either collision or jamming, i.e.,

$$P(D_1 > \sigma) = P\left(\bigcap_{i=1}^{\sigma/T_L} (J_i \cup C_i)\right), \qquad (2)$$

where $C_i$ and $J_i$ denote the events that the $i$th transmission is disrupted by collision and jamming, respectively.

First, we derive the collision probability $P(C_i)$. Suppose that node 1's $i$th transmission starts at time 0. A collision that can successfully disrupt node 1's transmission will happen if another node makes a transmission attempt during the period $[(p-1)T_L, (1-p)T_L]$ and at the same time uses the same channel. Since all nodes have constant traffic rates, there are $2(1-p)T_L \sum_{j=2}^{m} \lambda_j$ transmissions at other nodes that can possibly disrupt node 1's transmission. As the frequency-code channel for each transmission in the network is uniformly assigned among all $N_fN_c$ selections, the collision probability is equal to the probability that there is at least one other transmission colliding with node 1's $i$th transmission, which can be written as

$$P(C_i) = 1 - \left(1 - \frac{1}{N_fN_c}\right)^{2(1-p)T_L\gamma_1}, \qquad (3)$$

where $\gamma_1 = \sum_{j=2}^{m} \lambda_j$.

Then, we compute the jamming probability $P(J_i)$. The jamming process $\{(\mathcal{F}, \mathcal{C}), X\}$ has renewal intervals $\{X_l\}$. Let $N_i$ represent how many times the jammer makes a state transition; we have $N_i = \sup_{n \in \mathbb{N}}\{\sum_{l=1}^{n} X_l \le (1-p)T_L\}$, $\mathbb{N} = \{0, 1, 2, \dots\}$, where $X_1, \dots, X_{N_i}$ are the jamming intervals during the $i$th transmission. In order to disrupt the $i$th transmission (i.e., $J_i$ holds), the sum of the jamming intervals on the $(u_i, v_i)$th channel must be larger than the threshold $pT_L$. Letting $B_l$ be the event that the $l$th interval with length $X_l$ hits the $(u_i, v_i)$th channel (i.e., $B_l = \{u_i \in \mathcal{F}_l, v_i \in \mathcal{C}_l\}$), we obtain

$$P(J_i \mid u_i, v_i) = P\left(\sum_{l=1}^{N_i} X_l \mathbf{1}_{B_l} \ge pT_L\right) \le E\left(\sum_{l=1}^{N_i} X_l \mathbf{1}_{B_l}\right)\Big/(pT_L) = E(N_i)E(X_l)P(B_l)/(pT_L), \qquad (4)$$

where the inequality and the last equality follow from Markov's inequality and Wald's equation, respectively, $E(N_i) \le (1-p)T_L/E(X_l)$, and $P(B_l)$ denotes the probability that the jamming hits the $(u_i, v_i)$th channel. Since $(u_i, v_i)$ is uniformly assigned, it follows from (4) that

$$P(J_i) \le \sum_{u=1}^{N_f}\sum_{v=1}^{N_c} \frac{E(N_i)E(X_l)P(B_l)}{pT_L \, N_fN_c} \le \frac{(1-p)T_L}{E(X_l)}\, E(X_l)\, \frac{s}{N_fN_c}\, \frac{1}{pT_L} = \frac{(1-p)s}{pN_fN_c}. \qquad (5)$$

Finally, combining (2), (3) and (5) finishes the proof. □

Next, we present our results on reactive jamming.

Lemma 2 (Reactive Jamming). In wireless local-area network $\mathcal{N}(m, N_f, N_c)$ in the presence of a reactive jammer $\{(\mathcal{F}, \mathcal{C}), X\}$ that has sensing time $\tau$ and can attack $s$ channels simultaneously, for a time-critical application at node $k$, its message delivery delay $D_k$ satisfies

$$P(D_k > \sigma) \le \left[1 - \left(1 - \frac{1}{N_fN_c}\right)^{2T_L(1-p)\gamma_k}\left(1 - \frac{sT_L}{\frac{\tau N_fN_c}{1-p} + pT_L^2\gamma_k}\right)\right]^{\sigma/T_L}, \qquad (6)$$

where $T_L$ is the message transmission duration, $\sigma$ is the message delay threshold, $\gamma_k = \sum_{j=1, j \neq k}^{m} \lambda_j$, and $\lambda_j$ is the traffic rate at node $j$.

Proof. Similar to the proof of Lemma 1, assume that node 1 transmits a message with delay threshold $\sigma$. The transmission resides at the $(u_i, v_i)$th channel for the $i$th attempt. To find $P(D_1 > \sigma)$, we first need to compute both the collision and jamming probabilities, $P(C_i)$ and $P(J_i)$. As $P(C_i)$ is given in (3), we in the following compute $P(J_i)$.

For the sake of simplicity, assume that the $i$th transmission starts at time 0. Define a renewal process $N_i(t) = \sup_{n \in \mathbb{N}}\{\sum_{l=1}^{n} X_l \le t\}$, $\mathbb{N} = \{0, 1, 2, \dots\}$. Then $X_1, X_2, \dots, X_{N_i(t)}$ are the renewal intervals during the period $[0, t]$. Different from non-reactive jamming, reactive jamming has renewal intervals $X_l = \tau + S_l \mathbf{1}_A$, where $A$ denotes the event that a channel is sensed with activity, and $S_l$ is the jamming duration. To maximize its damage to the network, the reactive jammer should always set the jamming duration $S_l$ to be $pT_L$. This means that when the jammer senses a transmission, it always chooses the minimum effective jamming duration to disrupt the transmission such that it can immediately move on to sense and jam other channels. Thus, we choose $S_l = pT_L$.

In order to successfully disrupt the $i$th transmission (i.e., $J_i$ holds), the reactive jammer must switch to the $(u_i, v_i)$th channel at least once during $[0, (1-p)T_L - \tau]$. Let event $B_l = \{u_i \in \mathcal{F}_l, v_i \in \mathcal{C}_l\}$. Then, $P(J_i \mid u_i, v_i) = P\left(\sum_{l=1}^{N_i((1-p)T_L - \tau)} \mathbf{1}_{B_l} \ge 1\right)$. Using procedures similar to (4) and (5), we have

$$P(J_i) \le E\big(N_i((1-p)T_L - \tau)\big)\, s/(N_fN_c). \qquad (7)$$

To obtain $E(N_i((1-p)T_L - \tau))$, we first have from the elementary renewal theorem

$$\lim_{t \to \infty} E(N_i(t))/t = 1/E(X_l), \qquad (8)$$

where $E(X_l) = \tau + pT_L P(A)$, $P(A)$ is the probability that a channel is sensed busy, and $P(A) = 1 - (1 - 1/(N_fN_c))^{(1-p)T_L\gamma_1}$. Then, it is reasonable to assume that the sensing time $\tau \ll T_L$ and the renewal interval $E(X_l) \ll T_L$, since power networks always have unsaturated traffic loads [3], [14] for timely monitoring and control. Thus, from (8), $E(N_i((1-p)T_L - \tau))$ can be approximated as

$$E\big(N_i((1-p)T_L - \tau)\big) \approx \frac{(1-p)T_L - \tau}{E(X_l)} \approx \frac{(1-p)T_L}{\tau + pT_L\left(1 - \left(1 - \frac{1}{N_fN_c}\right)^{(1-p)T_L\gamma_1}\right)} \approx \frac{(1-p)T_L}{\tau + \frac{p(1-p)T_L^2\gamma_1}{N_fN_c}}. \qquad (9)$$

The last approximation follows from the fact that $(1-x)^a \approx 1 - ax$ for small $x$. From (7) and (9), we obtain

$$P(J_i) \le \frac{(1-p)sT_L}{\tau N_fN_c + p(1-p)T_L^2\gamma_1}. \qquad (10)$$

Combining (2), (3) and (10) completes the proof. □

Based on Lemmas 1 and 2, we then show that reactive jamming in general leads to the worst-case delay performance, thereby maximizing the damage to the network.

Fig. 3. Coordinated communication: worst-case delay performance $P(D_k > \sigma)$ versus aggregate traffic $\gamma_k$ at node $k$ for time-critical applications with delay thresholds of 3-9 ms. ($N_f = N_c = 10$, $T_L = 1$ ms, $p = 0.1$, and $\tau = 1$ μs.)


Theorem 1 (Worst-case delay in coordinated mode). For wireless local-area network $\mathcal{N}(m, N_f, N_c)$ under coordinated communication, the worst-case delay performance at node $k$ is induced by reactive jamming with sensing time $\tau$ sufficiently small. Specifically, the message delay $D_k$ satisfies

$$P(D_k > \sigma) \le \left[1 - \left(1 - \frac{1}{N_fN_c}\right)^{2T_L(1-p)\gamma_k}\left(1 - \frac{sT_L}{\frac{\tau N_fN_c}{1-p} + pT_L^2\gamma_k}\right)\right]^{\sigma/T_L}, \qquad (11)$$

where $T_L$ is the message transmission duration, $\sigma$ is the message delay threshold, $\gamma_k = \sum_{j=1, j \neq k}^{m} \lambda_j$, and $\lambda_j$ is the traffic rate at node $j$.

Proof. Comparing (1) with (6), it suffices to show

$$\frac{(1-p)sT_L}{\tau N_fN_c + p(1-p)T_L^2\gamma_k} \ge \frac{(1-p)s}{pN_fN_c}, \qquad (12)$$

which is equivalent to

$$\tau \le pT_L - p(1-p)T_L^2\gamma_k/(N_fN_c). \qquad (13)$$

In order for (13) to hold for $\tau$ sufficiently small, it suffices to show that the right-hand side of (13) is larger than 0, i.e., $pT_L - p(1-p)T_L^2\gamma_k/(N_fN_c) > 0$. Let $\gamma$ be the overall message rate in the network and $B$ be the maximum bit rate supported by each sub-channel. Then, a single message includes $T_LB$ bits, and the overall network traffic rate (in bits/s) can be written as $r = T_LB\gamma$, which is smaller than the overall channel bandwidth $N_fN_cB$. In other words, we have $r = T_LB\gamma < N_fN_cB$, i.e., $T_L\gamma < N_fN_c$. Since it always holds that $\gamma_k < \gamma$, we have $T_L\gamma_k < N_fN_c$ and

$$pT_L - p(1-p)T_L^2\gamma_k/(N_fN_c) > pT_L - p(1-p)T_L > 0, \qquad (14)$$

which finishes the proof. □


Fig. 4. Message delivery under reactive jamming: (a) with sensing, the 1st transmission is jammed and the 2nd is jammed; (b) the 1st transmission is jammed and the 2nd is delivered.


Remark 2. Theorem 1 shows that reactive jamming with sensing time $\tau$ sufficiently small will induce the worst-case performance. Theoretically, we can always assume that $\tau$ is arbitrarily small and consider reactive jamming as the worst case. Will reactive jamming do so in practice? The essence of the question is how small $\tau$ can be for a practical jammer. Taking a closer look at (13), we find that the right-hand side can be approximated as $pT_L$ when the pool of channel selections is large (i.e., $N_fN_c$ is large), which is true for an effective anti-jamming system. This indicates that reactive jamming is more harmful than non-reactive jamming when $\tau$ is smaller than the minimum jamming duration $pT_L$. It has been shown that $\tau$ can be designed to be very small, depending on the implementation, while $pT_L$ should be kept relatively large to effectively disrupt a transmission. For example, a software-defined-radio-based jammer [25] needs 20 μs to sense an 802.15.4 transmission and must send jamming signals for at least 26 μs to disrupt the transmission. Such a sensing time can be further shortened with a hardware implementation instead of a software implementation, which demonstrates that $\tau$ is indeed smaller than $pT_L$ in practice. Therefore, it is reasonable to consider reactive jamming as the worst case both theoretically and practically.

Fig. 3 shows an example of the worst-case message invalidation probabilities induced by both non-reactive (1) and reactive jamming (6) for time-critical applications at node $k$. We can see that reactive jamming always leads to worse delay performance than non-reactive jamming, and that the delay performance at node $k$ also depends on the aggregate traffic load $\gamma_k$. An interesting observation from Fig. 3 is that in the reactive-jamming case, the message invalidation probability is not minimized at $\gamma_k^* = 0$. Instead, it is minimized at a fairly large value $\gamma_k^* \approx 38$ kilo-messages/s.

Fig. 3 illustrates that, interestingly, the worst-case delay (caused by reactive jamming) is in fact a U-shaped (first decreasing, then increasing) function of the traffic load $\gamma_k$. This is due to the sensing-and-reacting nature of reactive jamming. Consider a simple example: Fig. 4a shows two transmissions of a message by node 1 with two-channel frequency hopping. If there is no other traffic, by scanning the two channels alternately, a reactive jammer can always sense and jam both transmissions. If node 2 is also transmitting, as shown in Fig. 4b, the jammer can also sense and attempt to disrupt node 2's transmission. Then, there is a chance that node 1's message can be delivered during the time that the jammer is jamming node 2's transmission. Thus, a fair increase of the network traffic load can in fact improve the delay performance under reactive jamming. On the other hand, over-increasing the traffic will surely degrade the performance since transmissions have a high probability of colliding with each other. Hence, there should be an optimal traffic load at which the worst-case message delay is minimized.

In the following, we show theoretically that there exists a traffic load $\gamma_k^*$ that minimizes the worst-case message invalidation probability for node $k$ in the network.

Theorem 2 (Optimal load in coordinated mode). In wireless network $\mathcal{N}(m, N_f, N_c)$, node $k$'s worst-case message invalidation probability (11) in coordinated communication is minimized at

$$\gamma_k^* = \frac{1}{p(1-p)T_L^2}\left(\frac{c_1c_2 - \sqrt{c_1^2c_2^2 - 4c_1c_2pT_L}}{2c_1} - \tau N_fN_c\right),$$

where $c_1 = 2\ln(1 - 1/(N_fN_c))$ and $c_2 = (1-p)T_L$.

Proof. It is equivalent to show that $\gamma_k^*$ maximizes the following function:

$$f(\gamma_k) = \left(1 - \frac{1}{N_fN_c}\right)^{2T_L(1-p)\gamma_k}\left(1 - \frac{(1-p)sT_L}{\tau N_fN_c + p(1-p)T_L^2\gamma_k}\right). \qquad (15)$$

Setting $\partial f(\gamma_k)/\partial\gamma_k = 0$ at $\gamma_k^*$ results in the quadratic equation

$$c_1 w^2 - c_1c_2 w + c_2 pT_L = 0, \qquad (16)$$

where $c_1 = 2\ln(1 - 1/(N_fN_c))$, $c_2 = (1-p)T_L$, and

$$w = \tau N_fN_c + p(1-p)T_L^2\gamma_k^*. \qquad (17)$$

Solving equation (16) for $w$ yields

$$w = \left(c_1c_2 - \sqrt{c_1^2c_2^2 - 4c_1c_2pT_L}\right)\Big/(2c_1). \qquad (18)$$

Combining (17) with (18) completes the proof. □

Remark 3. Theorem 2 shows that there indeed exists a unique traffic load $\gamma_k^*$ for node $k$ to minimize its worst-case delay, and that $\gamma_k^*$ is independent of the delay threshold $\sigma$, which can also be observed in Fig. 3. Thus, the delays of messages with different delay thresholds can all be minimized at the same optimal traffic load.


3.2  Jamming  against  Uncoordinated  Mode 

So far, we have derived the theoretical results on the worst-case jamming impact on coordinated communication, which is used for IED communication in normal operations in the smart grid. We have shown that, interestingly, there indeed exists a unique traffic load for a node to minimize its worst-case delay. In the following, we present the theoretical results on uncoordinated communication, which can be used for key establishment between IEDs. Similar to Section 3.1, our goal is to find the worst-case performance, $P(D > \sigma)$, for uncoordinated communication under both non-reactive and reactive jamming attacks.

Theorem 3 (Worst-case delay in uncoordinated mode). For wireless local-area network $\mathcal{N}(m, N_f, N_c)$ under uncoordinated communication, the worst-case delay performance at node $k$ is induced by reactive jamming with sensing time $\tau$ sufficiently small. Specifically, the message delay $D_k$ satisfies

$$P(D_k > \sigma) \le \left[1 - \frac{(N_fN_c - 1)^{2T_L(1-p)\gamma_k}}{(N_fN_c)^{2T_L(1-p)\gamma_k + 1}}\left(1 - \frac{sT_L}{\frac{\tau N_fN_c}{1-p} + pT_L^2\gamma_k}\right)\right]^{\sigma/T_L}, \qquad (19)$$

where $T_L$ is the message transmission duration, $\sigma$ is the message delay threshold, $\gamma_k = \sum_{j=1, j \neq k}^{m} \lambda_j$, and $\lambda_j$ is the traffic rate at node $j$.

Proof. Without loss of generality, assume that node 1 attempts to transmit a message with duration $T_L$ to node 2 using the uncoordinated mode, in which nodes 1 and 2 uniformly choose a frequency-code channel to transmit and receive, respectively. They switch channels from time to time. For the sake of simplicity, the time is partitioned into time slots with length $T_L$. The sender and receiver switch their channels at the beginning of each time slot. Assume that for the $i$th delivery attempt ($1 \le i \le \sigma/T_L$), nodes 1 and 2 reside at the $(u_i, v_i)$th channel and the $(d_i, e_i)$th channel, respectively.

The message invalidation probability is written as

$$P(D_1 > \sigma) = P\left(\bigcap_{i=1}^{\sigma/T_L} (C_i \cup J_i \cup M_i)\right), \qquad (20)$$

where $C_i$ and $J_i$ denote the events that the $i$th transmission is disrupted by collision and jamming, respectively; and $M_i$ denotes the event that there is a channel mismatch between the sender and receiver, i.e., $M_i = \{u_i \neq d_i\} \cup \{v_i \neq e_i\}$.

To find $P(D_1 > \sigma)$, we need to compute the collision probability $P(C_i)$, the jamming probability $P(J_i)$, and the mismatch probability $P(M_i)$, respectively. Since we have already obtained $P(C_i)$ in (3), as well as $P(J_i)$ in (5) and (10) under non-reactive and reactive jamming attacks, we in the following derive $P(M_i)$, which is the probability that node 1 does not reside at the same channel as node 2, i.e., either $u_i \neq d_i$ or $v_i \neq e_i$. We have

$$P(M_i) = P(\{u_i \neq d_i\} \cup \{v_i \neq e_i\}) = 1 - 1/(N_fN_c). \qquad (21)$$

With (20), (21), (3), (5) and (10), using procedures similar to those in Theorem 1, we get that $P(D_k > \sigma)$ satisfies (19). □

Fig. 5 shows an example of the worst-case message invalidation probabilities for a time-critical application in both coordinated and uncoordinated modes. It is observed that, similar to coordinated communication, the worst-case message invalidation probability in uncoordinated communication exhibits U-shaped curves in Fig. 5, indicating that the delay performance in uncoordinated communication also depends on the aggregate traffic load $\gamma_k$ and can be minimized by optimizing $\gamma_k$. However, the delay performance in uncoordinated communication is substantially worse than that in coordinated communication. This is due to the opportunistic nature of uncoordinated communication: the sender and receiver have to randomly select channels to transmit and receive, respectively. Fig. 5 implies that, in general, uncoordinated communication should not be used for time-critical message delivery.

Fig. 5. Uncoordinated communication: worst-case $P(D_k > \sigma)$ versus $\gamma_k$ with delay thresholds of 10 and 30 ms. ($N_f = 10$, $N_c = 2$, $T_L = 1$ ms, $p = 0.1$, and $\tau = 1$ μs.)


Another observation in Fig. 5 is that the message invalidation probability is always minimized at the same traffic load regardless of the communication mode. For example, we can see that the probabilities for all four cases in Fig. 5 are minimized at $\gamma_k \approx 19$ kilo-messages/s. This shows that, given the same setup of a wireless network, there exists one optimal traffic load for a node to minimize its message invalidation probability in both coordinated and uncoordinated communications, which is formally proved in the following.

Theorem 4 (Optimal load in uncoordinated mode). In a network with the setup stated in Theorem 2, the optimal load $\gamma_k^*$ in coordinated mode also minimizes the message invalidation probability in uncoordinated mode.

Proof. For uncoordinated communication, minimizing (19) (as a function of $\gamma_k$) is equivalent to finding the value of $\gamma_k$ that maximizes the function

$$g(\gamma_k) = \frac{(N_fN_c - 1)^{2T_L(1-p)\gamma_k}}{(N_fN_c)^{2T_L(1-p)\gamma_k + 1}}\left(1 - \frac{(1-p)sT_L}{\tau N_fN_c + p(1-p)T_L^2\gamma_k}\right) = f(\gamma_k)/(N_fN_c), \qquad (22)$$

where $f(\gamma_k)$ is given in (15), which is the objective function in the coordinated mode. Hence, finding $\gamma_k$ that maximizes $g(\gamma_k)$ is equivalent to finding $\gamma_k^*$ that maximizes $f(\gamma_k)$. Therefore, $\gamma_k^*$ also minimizes the message invalidation probabilities in uncoordinated mode. □

Remark 4. Despite the evident performance difference between coordinated and uncoordinated communications, Theorem 4 illustrates that their delay performance can be optimized at the same time by choosing one optimum traffic load in the network. In the smart grid, a node's traffic load is usually static and quite unsaturated for real-time power management. For example, wireless monitoring for substation transformers only needs to transmit a message every second [2]. This indicates that, in general, we should intentionally increase a certain amount of redundant traffic to obtain the optimal traffic load. Then, legitimate messages have a chance to be successfully delivered during the period in which jamming attacks attempt to disrupt the redundant traffic. We name such traffic camouflage traffic, since it serves as camouflage to "hide" legitimate traffic from attacks.
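To make the bounds of Section 3 and the optimal-load results concrete, the following Python is an added example (not code from the paper): it evaluates the worst-case bounds (1), (11) and (19) as functions of $\gamma_k$, computes $\gamma_k^*$ from Theorem 2 in closed form, and cross-checks by grid search that the same $\gamma_k^*$ minimizes both the coordinated and the uncoordinated bound, as Theorem 4 states. The parameter values are those of Fig. 3; $s = 1$ and the 100,000 messages/s search range are assumptions of the example.

```python
import math


def collision_prob(gamma, Nf, Nc, TL, p):
    """Eq. (3): probability that at least one of the 2(1-p)T_L*gamma
    overlapping transmissions of other nodes picks the same channel."""
    return 1.0 - (1.0 - 1.0 / (Nf * Nc)) ** (2.0 * (1.0 - p) * TL * gamma)


def jam_prob_nonreactive(Nf, Nc, p, s):
    """Eq. (5): Wald/Markov bound on a non-reactive jammer occupying the
    channel for at least p*T_L of the transmission."""
    return min(1.0, (1.0 - p) * s / (p * Nf * Nc))


def jam_prob_reactive(gamma, Nf, Nc, TL, p, s, tau):
    """Eq. (10): a reactive jammer spends p*T_L on every transmission it
    senses, so the more traffic it sees (gamma), the fewer of its sweeps
    reach the channel of the message of interest."""
    return min(1.0, (1.0 - p) * s * TL
               / (tau * Nf * Nc + p * (1.0 - p) * TL ** 2 * gamma))


def invalidation_bound(gamma, sigma, Nf, Nc, TL, p, s, tau,
                       reactive=True, coordinated=True):
    """Upper bound on P(D_k > sigma): eqs. (1)/(11) for coordinated mode and
    (19) for uncoordinated mode, where every attempt additionally needs the
    sender and receiver to land on the same channel (eq. (21))."""
    if reactive:
        pj = jam_prob_reactive(gamma, Nf, Nc, TL, p, s, tau)
    else:
        pj = jam_prob_nonreactive(Nf, Nc, p, s)
    success = (1.0 - collision_prob(gamma, Nf, Nc, TL, p)) * (1.0 - pj)
    if not coordinated:
        success /= Nf * Nc          # P(channel match) = 1/(N_f N_c)
    attempts = round(sigma / TL)    # the paper assumes sigma/T_L is an integer
    return (1.0 - success) ** attempts


def optimal_load(Nf, Nc, TL, p, tau):
    """Theorem 2: closed-form gamma_k^*. The quadratic (16) of the paper
    carries no s, so this example compares it against the bound with s = 1."""
    c1 = 2.0 * math.log(1.0 - 1.0 / (Nf * Nc))    # negative
    c2 = (1.0 - p) * TL
    w = (c1 * c2 - math.sqrt(c1 ** 2 * c2 ** 2 - 4.0 * c1 * c2 * p * TL)) / (2.0 * c1)
    return (w - tau * Nf * Nc) / (p * (1.0 - p) * TL ** 2)   # invert (17)


def grid_argmin(sigma, Nf, Nc, TL, p, s, tau, coordinated=True,
                step=10.0, top=100_000.0):
    """Brute-force minimizer of the bound over gamma in [0, top]; used to
    cross-check Theorem 2 (coordinated) and Theorem 4 (uncoordinated)."""
    best_val, best_gamma = 2.0, 0.0
    n = 0
    while n * step <= top:
        g = n * step
        v = invalidation_bound(g, sigma, Nf, Nc, TL, p, s, tau,
                               coordinated=coordinated)
        if v < best_val:
            best_val, best_gamma = v, g
        n += 1
    return best_gamma


if __name__ == "__main__":
    # Parameters of the paper's Fig. 3; s = 1 is an assumption of this example.
    Nf, Nc, TL, p, s, tau = 10, 10, 1e-3, 0.1, 1, 1e-6
    g_star = optimal_load(Nf, Nc, TL, p, tau)
    for sigma in (3e-3, 9e-3):
        bound = invalidation_bound(g_star, sigma, Nf, Nc, TL, p, s, tau)
        print(f"sigma={sigma * 1e3:.0f} ms  gamma*={g_star:.0f} msg/s  "
              f"bound at gamma*={bound:.4f}  "
              f"grid argmin={grid_argmin(sigma, Nf, Nc, TL, p, s, tau):.0f}")
```

Below roughly 9,000 messages/s the reactive bound (10) exceeds 1, so the bound is trivially 1 there and only starts to fall once other nodes' traffic keeps the jammer busy, which is the left arm of the U-shape in Fig. 3.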


4  TACT  System 

We have shown that for both coordinated and uncoordinated communications in wireless smart grid applications, the delay performance is sensitive to the network traffic load under jamming attacks. As a result, generating camouflage traffic is a promising way to improve the worst-case delay performance. In this section, we present our adaptive method that generates camouflage traffic to minimize the message delivery delay in wireless networks for smart grid applications.

4.1  Motivation  and  Method  Design 

Our objective is to design a feasible method to minimize the worst-case delay performance for practical wireless smart grid applications under jamming attacks. We first describe the general idea of our method, which can be used for both coordinated and uncoordinated communication modes. Notice that Theorem 2 shows that the optimal load $\gamma_k^*$ is a function of the message transmission time $T_L$, which depends on the message length $L$. If all nodes' messages have the same length, the optimal load for every node will be the same, i.e., $\gamma_1^* = \gamma_2^* = \cdots = \gamma_m^*$. However, in the smart grid, a node has different message types with distinct lengths. For example, monitoring and control messages in substations can have lengths of 98 and 16 bytes [19], respectively. Thus, it is impossible to use one optimal load to minimize the delay for all message types. A reasonable choice is to generate camouflage traffic at the optimal point that minimizes the delay for the most time-critical messages, since such messages are of the most importance and are generally used for protection procedures [14], [19]. Therefore, to obtain the optimal traffic load $\gamma_k^*$, $T_L$ is chosen to be the transmission time of the most time-critical messages. Then, we have $\gamma_1^* = \gamma_2^* = \cdots = \gamma_m^*$.

It is also worth mentioning that the optimal traffic load $\gamma_k^*$ is a function of the jammer's sensing time $\tau$. As $\tau$ varies in practice, it is difficult to pre-configure network setups to generate camouflage traffic at the optimal load. An appropriate strategy is to adaptively generate traffic at each node into the network such that the overall network traffic load can be balanced around the optimum. Thus, we design the TACT method (transmitting adaptive camouflage traffic). The intuition behind TACT is two-fold. 1) TACT should avoid node coordination. Admittedly, node coordination can further help improve the delay performance. However, it introduces an additional security issue of coordination message delivery under jamming. Thus, TACT should be of a distributed nature, inducing the minimum complexity and node coordination. 2) Since the worst-case message delay is minimized at a positive traffic load, TACT should always attempt to increase the traffic load. If the performance is degraded after the increase, it can reduce the load.

Accordingly,  we  propose  to  implement  the  TACT 
method  at  every  node  in  a  wireless  network  for  the  smart 
grid.  As  shown  in  Algorithm  1,  TACT  measures  the  deliv¬ 
ery  results  of  probing  messages  to  adjust  the  amount  of 
camouflage  messages  in  the  network.  Each  camouflage  mes¬ 
sage  is  transmitted  on  a  randomly  selected  frequency/ code 
channel.  When  TACT  is  deployed,  there  are  three  major 
traffic  types  in  the  network:  i)  routine  traffic  for  power 
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Fig.  6.  How  TACT  balances  the  network  traffic. 


monitoring  and  control,  which  cannot  be  changed  as  it  is 
coupled  with  setups  of  power  devices,  ii)  probing  traffic  for 
performance  measurement,  its  message  transmission  time 
equals  to  Tl,  iii)  camouflage  traffic  to  balance  the  overall  net¬ 
work  traffic  load.  Fig.  6  shows  an  example  of  traffic  dynam¬ 
ics  caused  by  TACT:  in  the  first  observation  period,  two 
probing  messages  are  both  ACKed,  meaning  that  current 
traffic  load  is  not  harmful.  Then,  TACT  sends  one  more 
camouflage  message  in  the  next  observation  period.  The 
traffic  load  will  keep  being  increased  until  it  reaches  the 
optimum,  and  finally  fluctuate  around  the  optimum. 

Algorithm 1: TACT at Each Node.

Given: L_min, L_max, Δ_inc, Δ_dec. Init: M_prev = 0, L = L_min.
repeat
    Transmit probing messages in observation period.
    Measure the number of ACKs, M_now.
    if Performance not degraded (M_now ≥ M_prev) then
        Increase the traffic load: L ← min(L + Δ_inc, L_max).
    else
        Decrease the traffic load: L ← max(L − Δ_dec, L_min).
    end if
    Record history: M_prev ← M_now.
until TACT is disabled.


4.2  Uniform  Optimum 

When TACT is deployed at node $k$, it starts to increase node $k$'s traffic load $\lambda_k$. However, increasing $\lambda_k$ cannot improve node $k$'s own delay performance, since $P(D_k > \sigma)$ is not a function of $\lambda_k$ but a function of $\gamma_k = \sum_{j=1, j \neq k}^{m} \lambda_j$. By transmitting more traffic into the network, node $k$ in fact improves the network traffic loads $\gamma_i$ ($i \neq k$) observed at other nodes. At the same time, node $k$ is expecting others to do the same to help itself. Thus, the efficiency of TACT relies on such homogeneous behavior in all nodes, which however cannot be guaranteed when nodes have evidently heterogeneous traffic rates. Consider an extreme case: there are two nodes (nodes 1 and 2) with routine traffic rates of 1 and 1,000 messages/s, respectively. The optimal loads are $\gamma_1^* = \gamma_2^* = 1{,}000$ under a reactive jammer. Initially, $\gamma_1 = \sum_{j=1, j \neq 1} \lambda_j = 1{,}000$ and $\gamma_2 = \sum_{j=1, j \neq 2} \lambda_j = 1$. When TACT starts, node 2 is far from the optimum and keeps increasing its traffic load. In contrast, node 1 immediately reaches the optimum and never generates more traffic to help node 2.

Therefore, in order to ensure a uniform optimum over all nodes, a solution is to mandate that every node have the same minimum traffic load, regardless of their different routine traffic rates. This can be achieved by assigning different minimum camouflage traffic loads $L_{\min}$ (as given in Algorithm 1) to different nodes. Specifically, let node $k$'s minimum camouflage traffic load be $L_{\min}(k) = \max_{1 \le i \le m} \alpha_i - \alpha_k$, where $\alpha_i$ denotes the (fixed) routine traffic load at node $i$. Thus, the minimum overall traffic load that must be transmitted by every node is uniformly equal to $\max_{1 \le i \le m} \alpha_i$. In the previous example, we can assign $L_{\min} = 999$ and 0 to nodes 1 and 2, respectively. Then, both nodes can have the optimal traffic load when TACT starts. If the optimal load is 1,500 messages/s, both nodes will increase their camouflage traffic loads until reaching the optimum. In the next section, we use experiments to show the effectiveness of TACT.
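As an added example (not the paper's implementation), the following Python simulates Algorithm 1 at two nodes whose routine rates differ as in the example above (1 and 1,000 messages/s), with $L_{\min}$ assigned by the rule of this section. The radio is replaced by the worst-case bound (11) of Section 3 under the Fig. 3 parameters, with the ACK count taken as its expected value rather than a random draw; the probe count, $\Delta_{\mathrm{inc}}$, $\Delta_{\mathrm{dec}}$, $L_{\max}$ and $s = 1$ are assumed values.

```python
def ack_fraction(gamma, sigma, Nf, Nc, TL, p, s, tau):
    """Expected share of probing messages delivered within sigma when the
    node sees aggregate load gamma, i.e. 1 - P(D_k > sigma) from bound (11)."""
    pc = 1.0 - (1.0 - 1.0 / (Nf * Nc)) ** (2.0 * (1.0 - p) * TL * gamma)
    pj = min(1.0, (1.0 - p) * s * TL
             / (tau * Nf * Nc + p * (1.0 - p) * TL ** 2 * gamma))
    return 1.0 - (1.0 - (1.0 - pc) * (1.0 - pj)) ** round(sigma / TL)


class TactNode:
    """One node running Algorithm 1; L is its camouflage load (messages/s)."""

    def __init__(self, alpha, L_min, L_max, d_inc, d_dec):
        self.alpha = alpha                  # fixed routine traffic
        self.L_min, self.L_max = L_min, L_max
        self.d_inc, self.d_dec = d_inc, d_dec
        self.L = L_min                      # Init: L = L_min
        self.M_prev = 0.0                   # Init: M_prev = 0

    def total_load(self):
        return self.alpha + self.L

    def step(self, M_now):
        """One observation period: M_now ACKs were received for the probes."""
        if M_now >= self.M_prev:            # performance not degraded
            self.L = min(self.L + self.d_inc, self.L_max)
        else:
            self.L = max(self.L - self.d_dec, self.L_min)
        self.M_prev = M_now                 # record history


def observed_loads(nodes):
    """gamma_k = sum of the other nodes' total loads (Section 4.2)."""
    return [sum(n.total_load() for n in nodes if n is not k) for k in nodes]


def run_tact(alphas, rounds, probes, L_max, d_inc, d_dec,
             sigma, Nf, Nc, TL, p, s, tau):
    """Run TACT at every node for `rounds` observation periods.

    L_min(k) = max_i alpha_i - alpha_k (Section 4.2), so every node injects
    the same minimum total load regardless of its routine rate.
    Returns the final gamma_k of each node and the node objects."""
    top = max(alphas)
    nodes = [TactNode(a, top - a, L_max, d_inc, d_dec) for a in alphas]
    for _ in range(rounds):
        gammas = observed_loads(nodes)
        # Deterministic channel model (assumption of this example): the ACK
        # count is the expected value instead of a random draw.
        acks = [probes * ack_fraction(g, sigma, Nf, Nc, TL, p, s, tau)
                for g in gammas]
        for node, M_now in zip(nodes, acks):
            node.step(M_now)
    return observed_loads(nodes), nodes


def best_load(sigma, Nf, Nc, TL, p, s, tau, step=100.0, top=100_000.0):
    """Grid argmax of the ACK fraction; only used to judge the run."""
    grid = [i * step for i in range(int(top / step) + 1)]
    return max(grid, key=lambda g: ack_fraction(g, sigma, Nf, Nc, TL, p, s, tau))


if __name__ == "__main__":
    # Two nodes with routine rates 1 and 1,000 messages/s (the example of
    # Section 4.2) under the Fig. 3 radio parameters; s = 1 is assumed.
    params = dict(sigma=3e-3, Nf=10, Nc=10, TL=1e-3, p=0.1, s=1, tau=1e-6)
    gammas, nodes = run_tact([1, 1000], rounds=120, probes=10,
                             L_max=60_000, d_inc=500, d_dec=500, **params)
    print("target gamma* (grid):", best_load(**params))
    for k, (n, g) in enumerate(zip(nodes, gammas), start=1):
        print(f"node {k}: routine={n.alpha} camouflage={n.L} sees gamma={g}")
```

Because the ACK fraction is flat at zero for small loads, both nodes keep raising their camouflage load (M_now ≥ M_prev holds with equality) until the bound starts to fall, and then settle into the oscillation of one step around the optimum that Fig. 6 describes.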

4.3  TACT  in  Coordinated  and  Uncoordinated  Modes 

So far, we have presented the fundamentals of TACT to minimize the worst-case message delay under jamming attacks. Although we have shown that uncoordinated communication is not appropriate for time-critical applications, it is still essential to establish the secret key for coordinated communication. As a result, both communication modes are indispensable to fully secure communications for time-critical applications in the smart grid. Specifically, uncoordinated mode is used for key establishment and update. After the secret key is established or updated, the two communicators can use coordinated mode to exchange information based on the secret key. Hence, to substantially improve the performance of a wireless smart grid application with jamming resilience, TACT should be adapted to both coordinated and uncoordinated communications. This means that TACT must be enabled as long as a node is active, regardless of the mode in which it operates. Accordingly, we summarize the complete jamming-resilient communication scheme with TACT in Algorithm 2.

Algorithm 2: Communication Scheme with TACT.

Initialization: Enable TACT.
repeat
    Mode ← Uncoordinated mode.
    Obtain key K and period T_K from gateway.
    Mode ← Coordinated mode.
    Use K for a period of T_K.
until The node leaves the network.


In Algorithm 2, all the keys of a node are obtained from the gateway via uncoordinated communication. If two nodes want to communicate with each other, they also need to request the key for such communication from the gateway. Hence, the gateway can be considered a key management center in the network. It is worth noting that in Algorithm 2, every node operates in either uncoordinated or coordinated mode. The gateway, however, is required to operate in both modes simultaneously. Unlike IEDs, which are embedded computers on power infrastructures, the gateway is usually a computer server equipped with powerful computing and communication abilities [5]; thus, it is reasonable to assume that the gateway is capable of operating in both modes.

4.4  Discussion  on  Improving  TACT 

In Algorithm 2, we can see that when an IED joins the network, it starts to adaptively transmit camouflage traffic until it observes performance degradation at a certain load, then remains approximately at that load. This inevitably leads to a fair amount of redundant traffic and a waste of the energy used to transmit such traffic even when there is no attack. Although we know that in this case the delay is still upper bounded by the guaranteed performance given in Theorem 1, it is quite desirable to avoid such traffic in normal system operations. To this end, we can deploy a reactive jamming detector [26] in each IED; TACT is then triggered and starts to transmit camouflage traffic only when an attack is detected.

Fig. 7. Anti-islanding procedure in Green Hub.

It is worth noting that the distributed nature of TACT requires minimum node coordination, in which each node sends camouflage traffic on randomly selected channels. Such traffic may collide with legitimate traffic; thus, node coordination may further improve the efficiency of TACT, which can be achieved by letting the gateway node assign carefully designed transmission patterns for camouflage traffic at each node.

5 Smart Grid Anti-Islanding: Secure Key Establishment and Communication

We have found that there exists an optimal traffic load that minimizes the worst-case message delay, and have designed the distributed TACT method to achieve that optimal load. In this section, we implement a practical TACT-based system to optimize the delay performance of an important smart grid application, anti-islanding, under jamming attacks in our experimental micro smart grid, Green Hub.

5.1  Anti-Islanding  for  a  Micro  Smart  Grid 

Our goal is to use real-world experiments to show the effectiveness of TACT in improving the delay performance of a wireless smart grid application under jamming attacks. In the following, we first introduce the smart grid system used in the experiments. North Carolina State University has established a micro smart grid, Green Hub, to test key smart grid components, such as the solid-state transformer (SST), wireless networking, and dynamic spectrum access [27] for the smart grid. Green Hub includes two solar-array based photovoltaic (PV) systems as distributed energy resources.

An important protection procedure for distributed energy resources is anti-islanding. In power engineering, islanding [28] refers to the condition in which distributed energy resources continue to supply power even though the electric utility is disconnected. Unintentional islanding can cause many problems, such as damaging customers' loads and harming distributed energy resources [28]. Thus, anti-islanding procedures must be deployed in power systems to prevent any unintentional islanding.

Fig. 7 shows the anti-islanding procedure in Green Hub: when the utility supply is disconnected, the SST detects the islanding and sends an anti-islanding message to the PV system to make it stop generating power. The delay threshold of such a message is 150-300 ms [3].


Fig. 8. Attack scenario in the anti-islanding network.

5.2  System  Setups 

Network setup. There have been several wireless test networks for anti-islanding in the power engineering community [3], [28]. In this work, we use universal software radio peripheral (USRP) devices with GNU Radio to set up a frequency-hopping based wireless network to provide jamming resilience for the anti-islanding application. Green Hub has two PV-SST pairs for anti-islanding protection. Each device is connected to an IED for communication. Thus, the network consists of four IEDs and a gateway for centralized management. Each IED's routine traffic is one status-update message to the gateway every second. Both the IEDs and the gateway use USRPs to communicate with each other.

Spread spectrum system. The network uses eight frequency-hopping channels in the 2.4 GHz band, each of which uses BPSK modulation and has a bandwidth of 125 kHz, resulting in a total network bandwidth of 1 MHz. The length of an anti-islanding message is 400 bytes; at the 125 kbit/s that BPSK provides on such a channel, this leads to a transmission time of (400 × 8)/125 = 25.6 ms. The delay threshold is set to 150 ms. The application layer at each IED transmits each message four times. Thus, the secret key shared by each transmit-receive pair is a frequency-hopping pattern with four hops. For TACT, the lengths of probing and camouflage messages are set to 400 and 1,000 bytes, respectively. Note that we choose long camouflage messages to increase the chance that a reactive jammer senses and jams such messages.

Jamming attacks. We also set up a USRP-based jammer with an operational bandwidth of 125 kHz. When it is non-reactive, it keeps broadcasting jamming pulses, each of which is sent on a randomly selected channel. When it is reactive, it uses an energy detector to scan all eight hopping channels one by one, and jams any ongoing transmission as soon as it senses energy activity. The jamming pulse duration is set to 1 ms.

Attack scenario. The attack scenario is illustrated in Fig. 8: all IEDs (SST1, PV1, SST2, and PV2) inform the gateway of their status every second. If SST1 or SST2 detects islanding, it sends an anti-islanding message to its PV counterpart. The jammer targets SST2 and attempts to disrupt SST2's messages to PV2.

5.3  Experimental  Results 

When the network is set up, all IEDs first communicate with the gateway in uncoordinated mode to obtain their secret keys (channel assignments), then use the keys to communicate in coordinated mode. Accordingly, we first consider the uncoordinated case, i.e., we first evaluate how TACT can improve the delay performance of key establishment, and then move on to the coordinated case.
Fig. 9. Uncoordinated: Average key establishment delay versus per-node network traffic load.

Fig. 10. Coordinated: Message invalidation probability versus traffic load.


5.3.1 Key Establishment

We consider key establishment based on uncoordinated communication: every node keeps sending key requests to the gateway on uniformly selected frequency channels. At the same time, the gateway uniformly chooses a frequency channel on which to receive. A message is delivered only when a node and the gateway reside on the same channel. We define the key establishment delay of a node as the time from the instant that the node sends its first key request to the instant that it receives the reply from the gateway.

Fig. 9 illustrates the mean key establishment delay as a function of the network traffic load under both non-reactive and reactive jamming. We can observe from Fig. 9 that reactive jamming always induces a larger key establishment delay than non-reactive jamming for uncoordinated communication, which indicates that reactive jamming should be considered the worst-case scenario for uncoordinated communication. Note that Fig. 9 exhibits a U-shaped delay curve under reactive jamming, showing that under reactive jamming there always exists a traffic load that minimizes the average key establishment delay. As a result, TACT, which is primarily designed to counter reactive jamming by achieving the optimal traffic load, should substantially decrease the key establishment delay in the wireless anti-islanding scenario.

Next, we enable TACT at every node and evaluate its effectiveness on uncoordinated communication under reactive jamming. During the experiments, we set the following TACT parameters: L_min = 0, L_max = 30, Δ_inc = 2, Δ_dec = 2, and ten probing messages are sent every second. Table 1 lists the average key establishment delay under three scenarios: i) frequency hopping under reactive jamming (TACT off), ii) frequency hopping with camouflage traffic (TACT on), and iii) baseline performance (no jamming, no TACT). It is observed from Table 1 that uncoordinated-communication based key establishment incurs a fairly large delay even in the baseline (no-jamming) case, whose average delay is 814 ms. This is due to the opportunistic nature of uncoordinated communication. Under reactive jamming, the key establishment delay increases to 24.2 s. However, when TACT is enabled, the delay decreases dramatically to 5.61 s, as shown in Table 1. Therefore, TACT is very effective at improving the delay performance of key establishment in the smart grid.

TABLE 1
Average Delay in Uncoordinated Communication

Setup:    TACT off    TACT on    Baseline
Delay:    24.2 s      5.61 s     0.814 s
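The load-adaptation behaviour described in Section 4.4, with the parameter names used above (L_min, L_max, Δ_inc, Δ_dec, and ten probing messages per second), as an added illustration. The controller below is this page's interpretation of that behaviour, not the paper's Algorithm 2: it raises the camouflage load by Δ_inc while the averaged probe delay is not worse than the previous epoch's, backs off by Δ_dec when it is, and uses a small tolerance as hysteresis against probe noise. No jammer is attached; the probe delay comes from a constructed U-shaped delay model with Gaussian noise (make_probe_channel; its curve and its minimum near 14.8 messages/s are assumptions of this example, not measurements). Because the rule must observe degradation before it stops climbing, it settles one or two steps above the knee, which is the nearly optimal rather than exactly optimal operating point noted in Section 5.4.

```python
import random


class TactLoadController:
    """Adapt the camouflage load from probing-message delay feedback.

    Interpretation of the behaviour in Section 4.4, not the paper's
    Algorithm 2: raise the load while the probe delay does not degrade,
    back off once it does, and keep the load within [L_min, L_max].
    """

    def __init__(self, l_min=0, l_max=30, delta_inc=2, delta_dec=2,
                 probes_per_epoch=10, tolerance_ms=1.0):
        self.l_min, self.l_max = l_min, l_max
        self.delta_inc, self.delta_dec = delta_inc, delta_dec
        self.probes = probes_per_epoch      # ten probes per second (Section 5.3.1)
        self.tol = tolerance_ms             # hysteresis against probe noise
        self.load = l_min                   # camouflage messages per second
        self.prev_delay = None

    def epoch(self, probe_delay_ms):
        """One epoch: send the probes at the current load, then adapt.

        probe_delay_ms(load) returns the delay of a single probe in ms.
        Returns the load to use in the next epoch.
        """
        delay = sum(probe_delay_ms(self.load) for _ in range(self.probes)) / self.probes
        degraded = self.prev_delay is not None and delay > self.prev_delay + self.tol
        if degraded:
            self.load = max(self.l_min, self.load - self.delta_dec)
        else:
            self.load = min(self.l_max, self.load + self.delta_inc)
        self.prev_delay = delay
        return self.load


def make_probe_channel(seed=3, noise_ms=2.0, a=1000.0, b=4.0):
    """Constructed stand-in for a jammed channel (assumption, not measured
    data): the delay D(L) = a/(1+L) + b*L is U-shaped in the load L with its
    minimum at sqrt(a/b) - 1 (about 14.8 for the defaults), and every probe
    carries Gaussian measurement noise."""
    rng = random.Random(seed)

    def probe_delay_ms(load):
        return a / (1.0 + load) + b * load + rng.gauss(0.0, noise_ms)

    return probe_delay_ms


def run(epochs=200, seed=3):
    """Drive the controller against the constructed channel and return the
    load chosen after each epoch."""
    ctl = TactLoadController()
    probe = make_probe_channel(seed=seed)
    return [ctl.epoch(probe) for _ in range(epochs)]


def settled_load(trace, tail=50):
    """Mean load over the last epochs, i.e. where the controller 'remains'."""
    window = trace[-tail:]
    return sum(window) / len(window)


if __name__ == "__main__":
    trace = run()
    print("first epochs:", trace[:12])
    print(f"settled load: {settled_load(trace):.1f} msg/s (model optimum ~14.8)")
```

The first epochs climb deterministically by Δ_inc, since on the steep left side of the curve each measurement is clearly better than the last; only near the knee does the tolerance matter. Lowering tolerance_ms makes the controller react to noise and wander; raising it lets the load drift further past the knee before degradation is recognized.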

5.3.2 Jamming-Resilient Communication

Next, we consider the coordinated mode after the key is established. We evaluate the impact of both reactive and non-reactive jammers on the anti-islanding application. We generate camouflage messages at rates of 0-30 messages/s. Fig. 10 shows the message invalidation probability as a function of the camouflage traffic rate of each IED. We can see from Fig. 10 that reactive jamming always leads to worse performance than non-reactive jamming, indicating that reactive jamming should be considered the worst-case scenario. Thus, in the following we consider only reactive jamming. Fig. 10 also shows that the message invalidation probability induced by reactive jamming is a U-shaped function of the traffic load: it decreases from 41.2 to 0.82 percent as the camouflage traffic load goes from 0 to 15 messages/s, and increases again at higher loads.
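The setup of Section 5.2 and the U-shaped invalidation curve of Fig. 10, as an added slot-level Monte Carlo model. This is illustrative Python written for this page, not the authors' GNU Radio experiment, and it makes assumptions the paper does not state: time is divided into 25.6 ms hop slots; a camouflage message occupies one slot; camouflage arrivals at each IED are Poisson at the configured rate; the jammer can sense six of the eight channels within one slot (scan_per_slot, a hypothetical parameter) and, once it jams, stays on that channel for the rest of the slot; and two transmissions on the same channel in the same slot are both lost. The absolute probabilities are therefore not those of Tables 2 and 3. What the model reproduces is the shape: high loss with no camouflage, a minimum at an intermediate rate, and rising loss again once collisions with camouflage dominate.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Setup:
    """Network of Section 5.2; scan_per_slot is an assumption of this model."""
    n_channels: int = 8        # N_f frequency-hopping channels
    n_hops: int = 4            # a message is sent once on each hop of its key
    n_ieds: int = 4            # SST1, PV1, SST2, PV2
    slot_s: float = 0.0256     # 400-byte message at 125 kbit/s
    scan_per_slot: int = 6     # channels the jammer can sense within one slot


class ReactiveJammer:
    """Energy-detecting jammer: scans channels one by one, round robin, and
    jams the first busy channel it finds. The jamming pulse then occupies it
    for the rest of the slot, so it disrupts at most one transmission per
    slot (assumption; it is what makes long camouflage messages act as decoys)."""

    def __init__(self, setup):
        self.n, self.scan, self.pos = setup.n_channels, setup.scan_per_slot, 0

    def jam(self, busy):
        """Return the channel jammed in this slot, or None if none was sensed."""
        for _ in range(self.scan):
            ch = self.pos
            self.pos = (self.pos + 1) % self.n
            if ch in busy:
                return ch
        return None


def poisson(rng, lam):
    """Knuth's Poisson sampler (the random module has none)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def message_delivered(setup, rng, jammer, camo_per_slot):
    """One legitimate message: valid if at least one hop copy gets through."""
    pattern = [rng.randrange(setup.n_channels) for _ in range(setup.n_hops)]
    for ch in pattern:
        # Camouflage from the other IEDs (the sender's radio carries the
        # legitimate hop); each camouflage message lands on a random channel.
        camo = [rng.randrange(setup.n_channels)
                for _ied in range(setup.n_ieds - 1)
                for _msg in range(poisson(rng, camo_per_slot))]
        jammed = jammer.jam(set(camo) | {ch})
        # The hop is lost on a collision with camouflage or on a jamming hit.
        if ch not in camo and jammed != ch:
            return True
    return False


def invalidation_probability(camo_rate, setup=Setup(), trials=4000, seed=7):
    """Fraction of messages of which every hop copy was lost, for a given
    camouflage rate in messages per second per IED (the x-axis of Fig. 10)."""
    rng = random.Random(seed)
    jammer = ReactiveJammer(setup)
    camo_per_slot = camo_rate * setup.slot_s        # mean arrivals per slot
    lost = sum(not message_delivered(setup, rng, jammer, camo_per_slot)
               for _ in range(trials))
    return lost / trials


def sweep(rates, **kwargs):
    """Invalidation probability at each camouflage rate, as a dict."""
    return {r: invalidation_probability(r, **kwargs) for r in rates}


def best_rate(rates, **kwargs):
    """Camouflage rate with the lowest invalidation probability in the sweep."""
    curve = sweep(rates, **kwargs)
    return min(curve, key=curve.get)


if __name__ == "__main__":
    for rate, p in sweep([0, 10, 20, 30, 40, 60, 80, 100]).items():
        print(f"{rate:4d} msg/s per IED -> invalidation {100 * p:5.1f}%")
```

Running the file prints the sweep; best_rate() returns the rate with the lowest loss, which lies strictly inside the swept range. With no camouflage the loss is simply (scan_per_slot/N_f)^n_hops, and raising scan_per_slot to 8 models a jammer that surveys the whole band every slot, at which point a message without decoys is certain to be lost and the benefit of camouflage is largest.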

Then, we consider the delay performance with different delay thresholds of 150, 190, and 230 ms under reactive jamming. If the delay threshold becomes larger, the same message can be transmitted more times for higher reliability. Thus, the transmissions have five, six, and seven hops (transmission attempts) for messages with delay thresholds of 150, 190, and 230 ms, respectively. Fig. 11 shows the message invalidation probabilities for the different delay thresholds. In addition, we compare the worst-case bounds of Theorem 2 with the experimental results in Fig. 11. Although there is a small and non-uniform gap between the worst-case bound and the experimental measurement for each delay threshold, the trends shown by the experimental results match the theoretical prediction and the U-shape phenomenon, which indicates that the worst-case bound in Theorem 2 is tight enough to predict realistic jamming impacts.

Fig. 11. Coordinated: Message invalidation probability with different delay thresholds (x-axis: traffic load in messages per second).

TABLE 2
Message Invalidation in Coordinated Communication

Setup:                       TACT off    TACT on    Baseline
Invalidation probability:    41.2%       0.9076%    0.0532%

Next, we evaluate the effectiveness of TACT against reactive jamming in coordinated communication, using the same TACT settings as in Table 1. Table 2 lists the message invalidation probabilities in three scenarios: i) frequency hopping under reactive jamming (TACT off), ii) frequency hopping with camouflage traffic (TACT on), and iii) baseline performance (no jamming, no TACT). Table 2 shows that TACT decreases the message invalidation probability from 41.2 to 0.9076 percent. Although TACT does not reach the minimum of 0.82 percent shown in Fig. 10, it still improves the delay performance by more than an order of magnitude under reactive jamming. Note that the baseline performance in Table 2 shows a positive message invalidation probability. This is because error correction is not used in our experiments, in order to reduce the GNU Radio processing delay.

Table 3 shows the message invalidation probability as a function of the number of frequency-hopping channels N_f under reactive jamming. It is known that increasing N_f can reduce the message delay for spread spectrum communication, as more spectrum resources are used. Table 3 shows that when N_f goes from 6 to 12, the message invalidation probability in the frequency-hopping-only (no TACT) scenario decreases from 92.3 to 10.1 percent, while TACT further reduces the probability from 10.1 to 0.212 percent. As a result, TACT is a promising mechanism that offers a new dimension for improving the delay performance of smart grid communication.

5.4  Discussions 

In our experiments, both the IEDs and the jammer have a low operational bandwidth of 125 kHz, owing to the limited processing capability of the USRP-to-PC architecture. Thus, our goal is not to design a commercial anti-islanding system, but to demonstrate a proof-of-concept application of TACT in the smart grid.

We observed that TACT achieved nearly optimal performance. It is challenging to design an adaptive method that always works at the optimal load. However, the concept of transmitting camouflage traffic can lead to more TACT-like methods that further improve the delay performance of wireless smart grid applications.

Currently, both legitimate and camouflage traffic are blind to all legitimate receivers and attackers. This is the simplest setup, and it leaves attackers with no ability to distinguish legitimate traffic from camouflage traffic, but it also causes collisions between legitimate and camouflage transmissions. We will explore smarter ways to avoid such collisions in future work.

TABLE 3
Message Invalidation versus Number of Hopping Channels

Number of channels (N_f):    6        8        10       12
TACT off:                    92.3%    68.1%    41.2%    10.1%
TACT on:                     15.1%    6.01%    0.831%   0.212%

We also emphasize that the methodology of this paper is to optimize the worst-case performance in order to offer a performance guarantee for smart grid applications. Therefore, our worst-case optimization does not necessarily mean a uniformly optimal solution for all cases. This indicates that when a jammer constantly changes its jamming behavior, our countermeasure may not keep providing the optimal solution against each behavior. However, despite the jammer's varying strategies, the performance it induces is always bounded by the worst case. Therefore, as long as we design our countermeasures based on the worst case, we can always provide a performance guarantee under any attack behavior, which is our goal and is also essential for smart grid applications.

6  Conclusion 

In this paper, we provided a comprehensive study on minimizing the message delay for smart grid applications under jamming attacks. By defining a generic jamming process, we showed that the worst-case message delay is a U-shaped function of the network traffic load. We designed a distributed method, TACT, that generates camouflage traffic to balance the network load at the optimal point. We showed that TACT is a promising method to significantly improve the delay performance in the smart grid under jamming attacks.